Sustaining Cyber Awareness: The Long-Term Impact of Continuous Phishing Training and Emotional Triggers

Rebeka Toth, Richard A. Dubniczky, Olga Limonova, Norbert Tihanyi

TL;DR

Phishing remains a leading threat due to the human factor. The authors conduct a 12-month longitudinal field study across 20 organizations with over 1,300 employees and more than 13,000 simulated phishing emails to test continuous training and emotional cues. They find that mandatory embedded training with just-in-time feedback substantially reduces susceptibility (about a 52% reduction within 6–8 months) and approaches industry benchmarks, though onboarding and turnover introduce fluctuations. Emotional cues have modest effects, with altruistic and internal-source cues being more influential, and cue combinations increasing impact; the work supports sustained, adaptive awareness programs and provides open resources for reproducibility.

Abstract

Phishing constitutes more than 90% of successful cyberattacks globally, remaining one of the most persistent threats to organizational security. Despite organizations tripling their cybersecurity budgets between 2015 and 2025, the human factor continues to pose a critical vulnerability. This study presents a 12-month longitudinal investigation examining how continuous cybersecurity training and emotional cues affect employee susceptibility to phishing. The experiment involved 20 organizations and over 1,300 employees who collectively received more than 13,000 simulated phishing emails engineered with diverse emotional, contextual, and structural characteristics. Behavioral responses were analyzed using non-parametric correlation and regression models to assess the influence of psychological manipulation, message personalization, and perceived email source. Results demonstrate that sustained phishing simulations and targeted training programs lead to a significant reduction in employee susceptibility, halving successful compromise rates within six months. Additionally, employee turnover introduces measurable fluctuations in awareness levels, underscoring the necessity of maintaining continuous training initiatives. These findings provide one of the few long-term perspectives on phishing awareness efficacy, highlighting the strategic importance of ongoing behavioral interventions in strengthening organizational cyber resilience. In order to support open science, we published our email templates, source code, and other materials at https://github.com/CorporatePhishingStudy.

Paper Structure

This paper contains 19 sections, 4 figures, 1 table.

Figures (4)

  • Figure 1: Overview of the full research workflow, illustrating each stage from phishing email template design through the email campaign, data collection, trainings, and statistical analysis.
  • Figure 2: Percentage of successful phishing attempts each month over 12 months for all 20 companies. The industry average measures companies that have ongoing training programs (KnowBe4 2025 phishing report).
  • Figure 3: Distribution of participants by the number of unsafe actions recorded during phishing simulations. No individual engaged in unsafe behavior more than six times.
  • Figure 4: Effect of contextual and emotional cues on phishing success compared to the baseline, calculated using Spearman's rank correlation.